iTP Secure WebServer System Administrators Guide (Version 7.5+)

The TLS Handshake Protocol provides connection security where:
• The communicating entities are authenticated using asymmetric cryptography or public key cryptography (for example, RSA, DSS).
• The secret keys shared between the communicating entities cannot be accessed by eavesdroppers or any other entity placed in the connection.
• The secret keys shared cannot be modified by any other party without the knowledge of the communicating entities.
Secure Sockets Layer (SSL)
This subsection describes:
• “What SSL Does”
• “SSL 3.0 Protocol Enhancements Over SSL 2.0”
• “Deploying TLS and SSL”
What SSL Does
The Secure Sockets Layer (SSL) protocol provides channel security for all communications between a Web client and a server during any session for which SSL is operative.
SSL provides the following types of security between a Web client and a server:
• Private: After a simple handshake to define a secret key, all messages between the Web client and server are encrypted.
• Authenticated: The server is always authenticated with its public key certificate. The Web client is optionally authenticated to the server.
• Reliable: The message transport uses a message authentication code (MAC) to check that messages are not modified in transit.
Because SSL and HTTP are different protocols and typically use different port numbers (such as
443 and 80, respectively), the iTP Secure WebServer can handle secure and standard clients
simultaneously. As a result, some information can be provided to users in unencrypted form while
other information can be provided only in encrypted form.
SSL 3.0 Protocol Enhancements Over SSL 2.0
SSL 3.0 includes a number of enhancements over SSL 2.0:
• Requires fewer handshake messages, therefore allowing faster handshakes.
• Supports additional key-exchange and encryption algorithms (for example, Diffie-Hellman, Fortezza). However, the iTP Secure WebServer supports only the RSA key-exchange algorithm.
• Supports hardware tokens in the form of Fortezza cards. This is the first step toward more general support for cryptography-capable smart cards.
• Includes an improved client certificate request protocol, allowing a server to specify a list of CAs that it trusts to issue client certificates. The Web client returns a certificate signed by one of those CAs; if the server does not have such a certificate, the connection handshake fails. This improvement frees users from having to choose a certificate for each connection. (For more information about the certificate request protocol, see “Requesting a Certificate” (page 59).)
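The CA-list matching in the certificate request protocol described above can be modeled as follows. This is an added example, not code from the guide or from the iTP Secure WebServer; the Cert class, the function names, and every distinguished name are constructed for illustration, and the walk through intermediate CAs is an assumption about how a client matches a chained certificate.

```python
# Added illustration, not iTP Secure WebServer code. All DNs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # distinguished name (DN) of the certificate holder
    issuer: str   # DN of the CA that signed this certificate


class HandshakeFailure(Exception):
    """No certificate held by the client was issued under a CA the server listed."""


def chain_issuers(cert, intermediates):
    """Yield issuer DNs from the leaf upward through the known intermediate CAs."""
    by_subject = {c.subject: c for c in intermediates}
    seen = set()
    current = cert
    while current is not None and current.subject not in seen:
        seen.add(current.subject)
        yield current.issuer
        current = by_subject.get(current.issuer)


def select_client_cert(acceptable_cas, client_certs, intermediates=()):
    """Pick the first held certificate whose chain reaches a CA the server named."""
    for cert in client_certs:
        if any(dn in acceptable_cas for dn in chain_issuers(cert, intermediates)):
            return cert  # chosen automatically, with no prompt to the user
    raise HandshakeFailure("no client certificate from a CA the server trusts")


# Constructed sample data: the server lists one root CA; the client holds two
# certificates, only one of which chains (via an intermediate) to that root.
ROOT = "CN=Example Root CA,O=Example Corp"
ISSUING = "CN=Example Issuing CA,O=Example Corp"
SERVER_CA_LIST = {ROOT}
INTERMEDIATES = [Cert(ISSUING, ROOT)]
CLIENT_CERTS = [
    Cert("CN=alice,O=Other Org", "CN=Other Org CA,O=Other Org"),
    Cert("CN=alice,O=Example Corp", ISSUING),
]

if __name__ == "__main__":
    print(select_client_cert(SERVER_CA_LIST, CLIENT_CERTS, INTERMEDIATES).subject)
```

If the intermediate CA certificate is missing on the client, the second certificate no longer chains to the listed root and the selection fails, which is a common cause of client-authentication handshake failures.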
Deploying TLS and SSL
To deploy TLS or SSL on a server:
1. Configure and enable a server to use the TLS or SSL security protocol.
2. Use the Region command to use TLS or SSL on specific server contents.